The return of security as a service

4 Apr 2003

“Some of the companies out there are doing a good job on security, some are doing a poor job and some are doing nothing about it at all.” As managing director of Entropy, one of Ireland’s largest e-security firms, Conall Lavery has seen it all in terms of security threats and the way many businesses steadfastly refuse to spend money to keep hackers and viruses out, despite the obvious dangers.

If one were to be cynical about it, one could accuse him of overstating the threat in order to enhance sales of security products of companies such as his, but the evidence is definitely on his side. A major report on Irish business attitudes towards technology published only this week revealed that an astonishing 40pc of organisations do not have IT security policies in place, a figure that has risen from 23pc just two years ago (source: Information Society Commission/MRBI).

Lavery does not offer any deep explanations as to why companies are so loath to fork out on security but believes that, for small companies in particular, it is simply seen as unaffordable. “To date it’s been somewhat difficult to sell [to small businesses] because manufacturers of the products really didn’t scale them to fit within the budgets of small operators, although this is beginning to change.”

“A small company of 15 people has to buy effectively the same server as a company with 500 people,” he adds, explaining the disproportionate cost borne by smaller businesses when it comes to putting anti-virus systems in place. “There’s the budget problem but there’s also an expertise problem: they often don’t have the expertise in-house to install it, maintain it, manage it and fix it when they break.”

Lavery believes that the negative perception that SMEs (small and medium-sized enterprises) have of the cost of security systems presents an opportunity to deliver the same protection as a service rather than as a product. In fact, the company has recently begun trialling a virus scanning service on behalf of one of its clients. When an email arrives at the company’s network, it gets routed to Entropy’s own servers where it gets checked for viruses before being routed back to the client.

This would all sound very sensible were it not for the fact that Entropy got its fingers badly burnt when it previously tried to go down the managed services road. “We had a high-profile shot at raising some funding for that a couple of years ago,” says Lavery ruefully. “In fact, we even went further than that: we started to build it here ourselves and we spent a lot of money and time trying to put it all together. We didn’t get the funding so we mothballed it all.”

He adds that the new service is a much more modest – and from Entropy’s point of view much less costly – version of the original concept which was to provide managed services on a grand scale using banks of servers in a hosting centre and a fully automated network control centre. If Entropy managed services mark two is looking more promising, the next logical step will be to provide a hosted service via a data centre to offer clients full redundancy between servers and internet service providers. Whereas originally Entropy planned to offer managed services to clients big and small, the plan now is to focus on smaller businesses, which traditionally lag behind their larger cousins in their usage of IT security systems.

Like coffin-makers during a plague, security consultants are almost guaranteed work at a time of rising net use and growing sophistication among hackers and virus writers. But if you thought things could not get any worse when it comes to computer security, think again. Lavery is convinced that a new wave of IT security threats is about to crash on the unsuspecting corporate community courtesy of broadband internet connections. “In the next 12 months, DSL [digital subscriber line] is going to be rolled out to a lot of small companies but once you go always-on rather than dial-in you are much more susceptible to being hacked or attacked,” he observes.

It is generally accepted that badly written web applications are another area of potential weakness for companies. Following an agreement signed with Israeli software supplier Sanctum, Entropy is preparing to launch two of Sanctum’s security products on the Irish market to address just this issue. One is a vulnerability assessment tool called Apps Shield that a company can use to identify weaknesses within its website. The other is Web Shield, a new type of product called a web applications firewall that sits in front of the web server and blocks unauthorised attempts to access the server. Other security vendors with which Entropy has partnerships include Nokia, RSA, F5 and Trend Micro.

Between DSL security issues and the new scourge of web applications hacking, the next 12 months could be a busy time for e-security companies such as Entropy.

By Brian Skelly